LoFP / legitimate usage by an administrator

Techniques

Sample rules

New Virtual Smart Card Created Via TpmVscMgr.EXE

Description

Detects execution of “Tpmvscmgr.exe” to create a new virtual smart card.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: create
selection_img:
  Image|endswith: \tpmvscmgr.exe
  OriginalFileName: TpmVscMgr.exe

Rebuild Performance Counter Values Via Lodctr.EXE

Description

Detects the execution of “lodctr.exe” to rebuild the performance counter registry values. Attackers can abuse this by supplying a malicious configuration file that overwrites the performance counter configuration in order to confuse or evade monitoring and security solutions.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|windash: ' -r'
selection_img:
  Image|endswith: \lodctr.exe
  OriginalFileName: LODCTR.EXE
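To show how the two rule snippets above evaluate against process-creation telemetry, including the `windash` modifier that makes ' -r' also match '/r' and Unicode dash variants, the following is an added example (not part of this page or of the Sigma project). It implements a minimal Sigma-style matcher for the `contains`, `endswith` and `windash` modifiers and runs both rules over a handful of constructed events; the event values are invented sample data, not real telemetry.

```python
# Minimal evaluator for the two Sigma rule snippets shown above.
# Added example with constructed sample events; not from the original page.

# Dash variants the Sigma 'windash' modifier expands '-' into
# (hyphen, forward slash, en dash, em dash, horizontal bar).
WINDASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]

# Constructed process-creation events (assumed field names follow Sysmon EID 1).
EVENTS = [
    {"Image": r"C:\Windows\System32\tpmvscmgr.exe", "OriginalFileName": "TpmVscMgr.exe",
     "CommandLine": "tpmvscmgr.exe create /name MyVSC /pin default /adminkey random /generate"},
    {"Image": r"C:\Windows\System32\tpmvscmgr.exe", "OriginalFileName": "TpmVscMgr.exe",
     "CommandLine": "tpmvscmgr.exe destroy /instance root\\smartcardreader\\0000"},
    {"Image": r"C:\Windows\System32\lodctr.exe", "OriginalFileName": "LODCTR.EXE",
     "CommandLine": "lodctr /r"},
    {"Image": r"C:\Windows\System32\lodctr.exe", "OriginalFileName": "LODCTR.EXE",
     "CommandLine": "lodctr -r"},
    {"Image": r"C:\Windows\System32\lodctr.exe", "OriginalFileName": "LODCTR.EXE",
     "CommandLine": "lodctr \u2013r"},  # en dash, as pasted from a document
    {"Image": r"C:\Windows\System32\lodctr.exe", "OriginalFileName": "LODCTR.EXE",
     "CommandLine": "lodctr C:\\temp\\counters.ini"},  # no rebuild switch
]

# The two rules from the page, transcribed into Python dicts.
TPMVSCMGR_RULE = {
    "selection_cli": {"CommandLine|contains": "create"},
    "selection_img": {"Image|endswith": "\\tpmvscmgr.exe",
                      "OriginalFileName": "TpmVscMgr.exe"},
}
LODCTR_RULE = {
    "selection_cli": {"CommandLine|contains|windash": " -r"},
    "selection_img": {"Image|endswith": "\\lodctr.exe",
                      "OriginalFileName": "LODCTR.EXE"},
}


def windash_expand(value):
    """Return every dash/slash variant of a 'windash' value."""
    return [value.replace("-", d) for d in WINDASH_VARIANTS]


def field_matches(event, field_spec, expected):
    """Evaluate one 'Field|modifier...: value' entry against an event.

    Sigma string matching is case-insensitive; without a modifier the
    comparison is exact equality.
    """
    field, _, mods = field_spec.partition("|")
    modifiers = mods.split("|") if mods else []
    actual = str(event.get(field, "")).lower()
    values = [expected] if isinstance(expected, str) else list(expected)
    if "windash" in modifiers:
        values = [v for base in values for v in windash_expand(base)]
    for value in (v.lower() for v in values):
        if "contains" in modifiers and value in actual:
            return True
        if "endswith" in modifiers and actual.endswith(value):
            return True
        if "startswith" in modifiers and actual.startswith(value):
            return True
        if not modifiers and actual == value:
            return True
    return False


def selection_matches(event, selection):
    """All fields inside one selection map are AND-ed, as in Sigma."""
    return all(field_matches(event, spec, val) for spec, val in selection.items())


def rule_matches(event, rule):
    """condition: all of selection_*"""
    return all(selection_matches(event, sel)
               for name, sel in rule.items() if name.startswith("selection_"))


def run(events, rule):
    """Return the indices of events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e, rule)]


if __name__ == "__main__":
    print("TpmVscMgr hits:", run(EVENTS, TPMVSCMGR_RULE))
    print("lodctr hits:", run(EVENTS, LODCTR_RULE))
```

Running it shows the TpmVscMgr rule firing only on the `create` invocation and the lodctr rule firing on `/r`, `-r` and the en-dash form alike, while the plain `lodctr <file>` call is ignored. Both rules are keyed on the rebuild or create verb and the image name, so an administrator legitimately rebuilding counters or provisioning a virtual smart card produces exactly the same match; triage should therefore look at who launched the process and from what parent rather than at the command line alone.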